Microsoft has disclosed a recently patched security vulnerability in Apple’s macOS. The flaw, fixed in a recent update, allowed an attacker to exploit a weakness in the operating system’s System Integrity Protection (SIP). If leveraged effectively, an attacker already running with “root” privileges could bypass SIP and load malicious kernel drivers in the form of third-party kernel extensions.
The identified vulnerability is designated as CVE-2024-44243, receiving a medium severity rating with a CVSS score of 5.5. Apple rectified this issue in the macOS Sequoia 15.2 update released last month. Apple has categorized the flaw as a “configuration issue,” one that could enable malicious applications to alter safeguarded regions of the file system.
Jonathan Bar Or from the Microsoft Threat Intelligence team articulated the risks associated with bypassing SIP, indicating that such exploits could pave the way for attackers to install rootkits, develop persistent malware, and bypass essential security measures like Transparency, Consent, and Control (TCC). These actions could significantly amplify the attack surface relevant to further compromises and exploits.
SIP, often referred to as rootless, is a critical security framework designed to prevent unauthorized software from tampering with protected sections of macOS, such as the /System, /usr, /bin, /sbin, and /var directories. It enforces strict rules against modifications even by the root user account, permitting changes only by processes signed by Apple or holding special entitlements, such as Apple’s own software updates and installers.
Within SIP’s architecture, two specific entitlements play a crucial role: “com.apple.rootless.install,” which allows a process to bypass SIP file system restrictions, and “com.apple.rootless.install.heritable,” which extends these privileges to all child processes. CVE-2024-44243 represents the latest instance of SIP being compromised, following earlier vulnerabilities identified in CVE-2021-30892 (Shrootless) and CVE-2023-32369 (Migraine).
The exploit leverages the Storage Kit daemon’s entitlement to bypass SIP protections effectively. By exploiting “storagekitd’s ability to run arbitrary processes without the necessary validation,” an attacker could introduce a new file system bundle to the /Library/Filesystems directory. This action could lead to the overwriting of binaries associated with existing system utilities, such as Disk Utility, which would be triggered during operations like disk repair.
Bar Or elaborated that if an attacker can execute operations as a root user, they could place a new file system bundle in /Library/Filesystems and subsequently instruct storagekitd to launch custom binaries, thus circumventing SIP protections. Notably, triggering operations on a newly created file system could also lead to breaches in SIP protections.
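The two entitlements and the /Library/Filesystems staging location described above suggest two inexpensive audit checks a defender can run on a fleet. The script below is an added example written for this article; it is not code from Microsoft, Apple, or the advisory. It works entirely on constructed sample data (the entitlements plist and directory listing are made up here and labelled as such). The entitlement names are the two the article names; the assumptions are that real entitlements are obtained with `codesign -d --entitlements :- <binary>`, that file system bundles under /Library/Filesystems use the `.fs` suffix, and that the inheritance rule for the heritable entitlement is exactly as the article summarizes it.

```python
"""Two audit checks for the SIP signals discussed in the article:
1. which binaries hold the SIP-bypass entitlements, and
2. which bundles in /Library/Filesystems are not in a known-good baseline.

Added example; all sample data below is constructed, not captured from a real system.
"""
import plistlib
from typing import List, Set

# The two entitlements the article names as granting SIP file-system bypass.
SIP_BYPASS_ENTITLEMENTS = {
    "com.apple.rootless.install",
    "com.apple.rootless.install.heritable",
}


def sip_entitlements(entitlements_plist: bytes) -> Set[str]:
    """Return the SIP-bypass entitlements that are set to true in a plist.

    Assumption: the plist is what `codesign -d --entitlements :- <binary>`
    prints on macOS; capture its stdout as bytes and pass it here.
    """
    data = plistlib.loads(entitlements_plist)
    return {key for key, val in data.items()
            if key in SIP_BYPASS_ENTITLEMENTS and val is True}


def child_inherits_sip_bypass(parent: Set[str], child: Set[str]) -> bool:
    """Model of the article's description: a process can write to SIP-protected
    paths if it holds either entitlement itself, or if its parent holds the
    heritable variant, which extends the privilege to all child processes.
    """
    return (bool(child & SIP_BYPASS_ENTITLEMENTS)
            or "com.apple.rootless.install.heritable" in parent)


def unexpected_filesystem_bundles(listing: List[str], baseline: Set[str]) -> List[str]:
    """Return file system bundles (assumed to end in .fs) present in a
    /Library/Filesystems listing but absent from a baseline recorded on a
    known-good install. A new, unexpected bundle here is the staging step
    the article describes and is worth investigating.
    """
    return sorted(name for name in listing
                  if name.endswith(".fs") and name not in baseline)


# --- constructed sample inputs ------------------------------------------
# A plist in the shape codesign prints; the keys are chosen for illustration.
SAMPLE_ENTITLEMENTS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.rootless.install.heritable</key>
    <true/>
    <key>com.apple.security.app-sandbox</key>
    <false/>
</dict>
</plist>
"""

# Constructed directory listing and baseline; the names are placeholders.
SAMPLE_LISTING = ["vendor-driver.fs", "constructed-example.fs", ".DS_Store"]
SAMPLE_BASELINE = {"vendor-driver.fs"}


if __name__ == "__main__":
    ents = sip_entitlements(SAMPLE_ENTITLEMENTS_PLIST)
    print("SIP-bypass entitlements found:", sorted(ents))
    print("child of that process bypasses SIP:",
          child_inherits_sip_bypass(ents, set()))
    print("bundles not in baseline:",
          unexpected_filesystem_bundles(SAMPLE_LISTING, SAMPLE_BASELINE))
```

On a real host, replace the sample plist with the captured `codesign` output and the sample listing with `os.listdir("/Library/Filesystems")`; the useful output is the diff against a baseline taken when the machine was known to be clean, not the raw list.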
This advisory follows closely on Microsoft’s previous disclosures of vulnerabilities in Apple’s TCC framework, such as CVE-2024-44133, which can likewise be exploited to access sensitive data.
Bypassing SIP raises significant concerns because it undermines the foundational reliability of the operating system. Bar Or noted that if SIP fails, the integrity of every security solution on the device is compromised, giving threat actors greater freedom to manipulate or disable those protections. Jaron Bradley, Director of Threat Labs at Jamf, emphasized the ongoing allure of SIP for both security researchers and malicious actors, since many of Apple’s security frameworks depend on SIP’s resilience. Because SIP is implemented at such a low level, the best safeguard for users remains keeping software up to date so that such vulnerabilities are patched promptly.